Security, et al

Take Aways from SANS Log Management Summit

Sat, 15 Jul 2006 15:30:04 GMT

It was a fascinating week at the SANS Log Management Summit. We heard from many different users who shared their experiences and lessons learned from log management efforts. Allen Paller did a great job of facilitating and moderating each session and keeping the discussions on track.

We also heard from a number of the key players in the log management and SE/IM space. It was evident that each vendor has produced some loyal customers some of whom came to the summit and shared their success stories. That was useful because it helped zero in on the verticals and company sizes where each vendor is strong.

Playing well with others

Log management is not a pure security effort and the smart IT security officer will work with others especially IT operations, compliance and legal teams to ensure the project gets funded, maximizes value, enhances legal recourse against bad guys and doesn’t introduce new legal risks associated with privacy.

To justify the expense of a top shelf log management solution you have to realize that log management is Security, Operations and Compliance folks from all three areas need to support and pay for the project.

“Legal is your friend”

One user stressed that statement and explained that legal can help justify your project in terms of enhanced legal recourse and that legal can help you with regard to the fast changing laws and judicial precedents regarding custody of evidence and privacy.

The legal landscape is very dynamic right now and varies widely from one government to the next. You’ll be surprised in some jurisdictions what is considered personal information – even IP addresses! It pays to find a law firm familiar with the current laws in each region of the world where you do business.

IT Security and IT Operations

A common thread to many presentations was that Log Management is key to security but also to operational excellence and that a successful log management implementation allows operations staff to leverage the wealth of information in logs to better manage their systems and plan. One user said that it’s best politically and business value proposition to view IT Ops as the owner of the log data from their respective systems and IT Security as the custodian of that data.

A key challenge to allowing IT Ops to reap their value points from a central log management solution is ensuring the integrity of the log database and limiting each operations/administration team to viewing information related to their own systems and not others. A number of vendors said they are responding to this requirement with role based access control (RBAC) features.

It also pays off from a security standpoint to have operations staff looking at reports and dashboards based on security logs because these people understand their systems and what’s normal better than IT security staff who are often more generalist.

OK, I’ve got my logs all in one place, now what do I do with the data?

Many users said it’s important to clearly identify what you want to accomplish with log management and which systems to start with – don’t bite off everything at once. (Seems obvious with so many logs on so many systems it’s easy to lose site of the forest for the trees.)

Vendors also stressed that you need to “know your systems” so that you can design reports, alerts and dashboards that digest the arcane and esoterica of logs into real information. In fact one vendor said they view their role as a facilitator for consultants like me with subject matter expertise to help customers build intelligence into their log management solution. I’m happy to consult but I must say that I take issue with that attitude in so far as it relates to the log management space and user community.

By the overloaded field of log management products out there it’s evident that the industry can build a tool that collects and consolidate logs and provide rudimentary query builders.

But the next step in providing value and opportunity for distinguishing themselves is for vendors to build more intelligence into the product for common sources of log data so that users can stop re-inventing the wheel. Many users have complained to me that they’ve had to pay their vendor’s professional services division to learn their systems and build reports and alerts only to have the vendor add them to subsequent releases of the product. This results in existing customers funding the development of new features for future customers.

One vendor admitted they are a mile wide but an inch deep. This vendor is ramping up a project strengthen their product in this area. At Monterey Technology Group, Inc. we want to help log management vendors and their customers stop reinventing the wheel and get more return on investment. You’ll be hearing more our project code named Rosetta in the near future and I believe it will be come a distinguishing feature when evaluating offers in the log management space.

Celebrate and Advertise Success

I’ll sign off with one last thought that a user shared which is a good tip for ensuring management and your overall organization recognize the value of log management and to keep funding the effort when budgets get tight.

He expressed that log management can be a never ending project since there are always more devices, systems, databases and applications coming on board that generate log data. An executive who paid for a large part of the project asked one day when they were going to be done and get the ROI.

He realized then that they should have been alert and regular in advertising and celebrating successes along the way because there had been many but they’d just kept moving on with implementation and had neglected internal PR.

So after you put all that work into log management, make sure you communicate the benefits.